How I found IDOR on Twitter’s Acquisition – Mopub.com

How I found IDOR on Twitter’s Acquisition – Mopub.com

Hello everyone, Jay Jani noob here with another noobish finding. As 2k18 has started, I thought to hunt down Twitter for gaining reputation on HackerOne. I tried to find a bug on their acquisition – Mopub.com It was a quite strong site to get a single bug.

I tried to find XSS and more other bugs but No Luck 🙁

Then I tried to find IDOR but they have strong protection. I saw there was a functionality of Report where you can make a report. I quickly made 2 accounts and tried to manipulate Report ID with each other but No success 🙁

So i thought to leave the site as they are pretty strong and i could not find anything here.

But then Luckily I did check request and response in Burp and found that It was an IDOR in report functionality. All I need to do is to Capture the response of Edited Request.

The steps I need to follow to reproduce the Bug are;

PS : Some of my friends did not get this So I need to clarify. Actually there was an IDOR in Report Functionality but when you change the Report ID of Account-A with the Report ID of Account-B, the browser did not show anything and it got blank. Somehow browser did restrict it, i dont know why but in actual it got changed and Report of Account-B can be viewed by Account-A. I got the HTML response of Report of Account-B in Burp Suite's Response. SO by playing the response in original session of browser I can view the Manipulated Report.

1. Replace the Report ID with another ID

2. Do Intercept > Response to this Request

3. Request in Browser > In Original Session

4. And I was able to View anyone’s Report.

So basically this one is simple IDOR but all I want to express is “Always Have your eyes on the Response also“